Can't renew Let'sEncript Cert on my Ghost Blog


#1

Please fill out the fields below so we can help you better.

My domain is: blog.hatandslash.com

I ran this command:
sudo certbot certonly --webroot --webroot-path=/var/www/ghost -d blog.hatandslash.com -d www.blog.hatandslash.com

It produced this output:
'Failed authorization procedure. blog.hatandslash.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.hatandslash.com/.well-known/acme-challenge/N0DCgm6dmkv5Wv6KSoBUuFkf0zqOTD76pOR5INinHBY:
404 Not Found

404 Not Found



”, www.blog.hatandslash.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.blog.hatandslash.com/.well-known/acme-challenge/GxhMHQv903Ct6UJhIuA7hGMUzeRySxUs4_o5LlYjUlg:
404 Not Found

404 Not Found



IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blog.hatandslash.com
   Type:   unauthorized
   Detail: Invalid response from
   http://blog.hatandslash.com/.well-known/acme-challenge/N0DCgm6dmkv5Wv6KSoBUuFkf0zqOTD76pOR5INinHBY:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.blog.hatandslash.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.blog.hatandslash.com/.well-known/acme-challenge/GxhMHQv903Ct6UJhIuA7hGMUzeRySxUs4_o5LlYjUlg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.'

My operating system is (include version): Ubuntu 16.04

My web server is (include version): Nginx 1.10

My hosting provider, if applicable, is: Digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Is the webroot correct? For example, if you place a test file in it, like /var/www/ghost/testfile, can you access it through http://www.blog.hatandslash.com/testfile?

By the way, for renewal, it should suffice to run just certbot renew


#3

@Osiris t returns a Security Connection error, so I’m not able to known if I’m able to reach it. Actually my other webpage was able to renew it’s certificate, but not this one.

If I run the sudo certbot renew:

Attempting to renew cert from /etc/letsencrypt/renewal/blog.hatandslash.com.conf produced an unexpected error: Failed authorization procedure. www.blog.hatandslash.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.blog.hatandslash.com/.well-known/acme-challenge/wLUno-Mj9nz7UlQ1MH-CAceCdQdujIOP95UE9Kx-xoc: "<html>
`404 Not Found

404 Not Found


", blog.hatandslash.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.hatandslash.com/.well-known/acme-challenge/dPosXCFqYO4js0eQmwErZcsc8TLfaSSVqxzRj_5pIHA: " 404 Not Found

404 Not Found


". Skipping. `

#4

And what about the test file I hinted to?


#5

@Osiris The browser returns a Your Connection is not private, so I’m not sure if I’m able to reach it or not


#6

You probably can make a temporary exception, or post the URL here.


#7

@Osiris http://www.blog.hatandslash.com/testfile this is the URL I’m using


#8

www.blog.hatandslash.com redirects to blog.hatandslash.com, which probably has a different webroot:

See:

osiris@desktop ~ $ curl -LI --insecure http://www.blog.hatandslash.com/testfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.0 (Ubuntu)
Date: Mon, 15 May 2017 17:53:59 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://blog.hatandslash.com/testfile

HTTP/2.0 404 
server: nginx/1.10.0 (Ubuntu)
date: Mon, 15 May 2017 17:54:00 GMT
content-type: text/html; charset=utf-8
content-length: 14
x-powered-by: Express
cache-control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
etag: W/"e-0PvamFXRGHQPEQUzQwXBJg"
vary: Accept-Encoding

osiris@desktop ~ $ 

The x-powered-by: Express makes me believe every request on that host is parsed by the Express application. If you were running Apache, I would say “check for ReWrite rules in a .htaccess file”, but as you’re running nginx, I don’t have a clue how that is organised.

To make things short: you should search for a method to by-pass the "send everything through Express" rule somewhere for requests for /.well-known/acme-challenge/.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.